[Opendnssec-user] Empty zonelists not permitted?

Sion Lloyd sion at nominet.org.uk
Tue Jul 6 09:30:39 UTC 2010

> We are scripting a push-button DNSSEC service around OpenDNSSEC, as
> foreseen in the project (and its logo).  As part of that, we generate
> kasp.xml and zonelist.xml from scripts.  OpenDNSSEC appears to be quite
> suitable for this!
> We found that empty lists of zones are not welcomed by OpenDNSSEC.  Is
> there a specific reason for this?  We'd prefer if our system wouldn't get
> disrupted in this possible (intermediate) state.
> The same applies to policies -- we generate policies because we group zones
> that need to share a key set in the HSM.  We assign a key set to each
> independent customer of SURFnet.  But if there are no zones, there are no
> groups, and no policies either.  Are we crazy for trying to create an
> empty list of policies in case the list of zones is empty, or are we
> merely exploring new areas?

I had certainly never thought about starting a system with a "blank slate" 
like this; so I am not surprised that it doesn't work.

Without a command to add new policies you presumably have to edit the xml and 
then run "ods-ksmutil update kasp"?


More information about the Opendnssec-user mailing list